[github] Manage private secrets with GitHub Secrets to enhance security

1. Restore the original simple version of `configure.sh`
   Restores 08e37f4 "Refactor configure.sh"
   Reverts b87ee95b "Fixed configure.sh script and gh actions"

2. Use GitHub Secrets instead of a private git repository to enhance
   security standards and ensure credentials are encrypted and safely
   managed.

3. Document credentials used by GitHub Actions in docs/CREDENTIALS.md

4. Include `network_security_config.xml` directly into the repo
   as it has nothing sensitive.

5. Include Apple WWDR intermediate certificates directly into the repo
   as they are not sensitive and publicly available.
   https://developer.apple.com/help/account/reference/wwdr-intermediate-certificates

6. Add `private.h` in the repository since it does not differ from
   `private_defaults.h`.

Signed-off-by: Roman Tsisyk <roman@tsisyk.com>

.github/workflows/android-beta.yaml

@@ -56,19 +56,24 @@ jobs:
         shell: bash
         run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
 
-      - name: Checkout private keys
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ secrets.PRIVATE_REPO }}
-          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
-          ref: master
-          path: private.git
-
-      - name: Configure repo with private keys
+      - name: Restore beta keys
         shell: bash
         run: |
-          ./configure.sh ./private.git
-          rm -rf ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
+          echo "$FIREBASE_APP_DISTRIBUTION_JSON" | base64 -d > android/app/firebase-app-distribution.json
+          echo "$GOOGLE_SERVICES_JSON" | base64 -d > android/app/google-services.json
+          echo "$SECURE_PROPERTIES" | base64 -d > android/app/secure.properties
+          echo "$RELEASE_KEYSTORE" | base64 -d > android/app/release.keystore
+        env:
+          PRIVATE_H: ${{ secrets.PRIVATE_H }}
+          FIREBASE_APP_DISTRIBUTION_JSON: ${{ secrets.FIREBASE_APP_DISTRIBUTION_JSON }}
+          GOOGLE_SERVICES_JSON: ${{ secrets.GOOGLE_SERVICES_JSON }}
+          SECURE_PROPERTIES: ${{ secrets.SECURE_PROPERTIES }}
+          RELEASE_KEYSTORE: ${{ secrets.RELEASE_KEYSTORE }}
+
+      - name: Configure repository
+        shell: bash
+        run: ./configure.sh
 
       - name: Compile
         shell: bash

.github/workflows/android-check.yaml

@@ -51,7 +51,7 @@ jobs:
         shell: bash
         run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
 
-      - name: Configure in Open Source mode
+      - name: Configure repository
         shell: bash
         run: ./configure.sh
 
@@ -66,11 +66,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        flavor: [WebDebug, FdroidBeta]
+        flavor: [WebDebug, FdroidDebug]
         include:
           - flavor: WebDebug
             arch: arm64
-          - flavor: FdroidBeta
+          - flavor: FdroidDebug
             arch: arm32
     # Cancels previous jobs if the same branch or PR was updated again.
     concurrency:
@@ -93,7 +93,7 @@ jobs:
         shell: bash
         run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
 
-      - name: Configure in Open Source mode
+      - name: Configure repository
         shell: bash
         run: ./configure.sh
 

.github/workflows/android-monkey.yaml

@@ -56,19 +56,26 @@ jobs:
         shell: bash
         run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
 
-      - name: Checkout private keys
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ secrets.PRIVATE_REPO }}
-          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
-          ref: master
-          path: private.git
-
-      - name: Configure repo with private keys
+      - name: Restore beta keys
         shell: bash
         run: |
-          ./configure.sh ./private.git
-          rm -rf ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
+          echo "$FIREBASE_TEST_LAB_JSON" | base64 -d > android/app/firebase-test-lab.json
+          echo "$FIREBASE_APP_DISTRIBUTION_JSON" | base64 -d > android/app/firebase-app-distribution.json
+          echo "$GOOGLE_SERVICES_JSON" | base64 -d > android/app/google-services.json
+          echo "$SECURE_PROPERTIES" | base64 -d > android/app/secure.properties
+          echo "$RELEASE_KEYSTORE" | base64 -d > android/app/release.keystore
+        env:
+          PRIVATE_H: ${{ secrets.PRIVATE_H }}
+          FIREBASE_TEST_LAB_JSON: ${{ secrets.FIREBASE_TEST_LAB_JSON }}
+          FIREBASE_APP_DISTRIBUTION_JSON: ${{ secrets.FIREBASE_APP_DISTRIBUTION_JSON }}
+          GOOGLE_SERVICES_JSON: ${{ secrets.GOOGLE_SERVICES_JSON }}
+          SECURE_PROPERTIES: ${{ secrets.SECURE_PROPERTIES }}
+          RELEASE_KEYSTORE: ${{ secrets.RELEASE_KEYSTORE }}
+
+      - name: Configure repository
+        shell: bash
+        run: ./configure.sh
 
       - name: Compile
         shell: bash

.github/workflows/android-release-metadata.yaml

@@ -26,19 +26,14 @@ jobs:
           ref: master
           path: screenshots
 
-      - name: Checkout private keys
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ secrets.PRIVATE_REPO }}
-          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
-          ref: master
-          path: private.git
-
-      - name: Configure repo with private keys
+      - name: Restore release keys
         shell: bash
         run: |
-          ./configure.sh ./private.git
-          rm -rf ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
+          echo "$GOOGLE_PLAY_JSON" | base64 -d > android/app/google-play.json
+        env:
+          PRIVATE_H: ${{ secrets.PRIVATE_H }}
+          GOOGLE_PLAY_JSON: ${{ secrets.GOOGLE_PLAY_JSON }}
 
       - name: Upload
         shell: bash

.github/workflows/android-release.yaml

@@ -100,19 +100,26 @@ jobs:
           ref: master
           path: screenshots
 
-      - name: Checkout private keys
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ secrets.PRIVATE_REPO }}
-          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
-          ref: master
-          path: private.git
-
-      - name: Configure repo with private keys
+      - name: Restore release keys
         shell: bash
         run: |
-          ./configure.sh ./private.git
-          rm -rf ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
+          echo "$GOOGLE_PLAY_JSON" | base64 -d > android/app/google-play.json
+          echo "$HUAWEI_APPGALLERY_JSON" | base64 -d > android/app/huawei-appgallery.json
+          echo "$AGCONNECT_SERVICES_JSON" | base64 -d > android/app/agconnect-services.json
+          echo "$SECURE_PROPERTIES" | base64 -d > android/app/secure.properties
+          echo "$RELEASE_KEYSTORE" | base64 -d > android/app/release.keystore
+        env:
+          PRIVATE_H: ${{ secrets.PRIVATE_H }}
+          GOOGLE_PLAY_JSON: ${{ secrets.GOOGLE_PLAY_JSON }}
+          HUAWEI_APPGALLERY_JSON: ${{ secrets.HUAWEI_APPGALLERY_JSON }}
+          AGCONNECT_SERVICES_JSON: ${{ secrets.AGCONNECT_SERVICES_JSON }}
+          SECURE_PROPERTIES: ${{ secrets.SECURE_PROPERTIES }}
+          RELEASE_KEYSTORE: ${{ secrets.RELEASE_KEYSTORE }}
+
+      - name: Configure repository
+        shell: bash
+        run: ./configure.sh
 
       - name: Set up SDK
         shell: bash

.github/workflows/coverage-check.yaml

@@ -94,7 +94,7 @@ jobs:
               llvm \
               gcovr
 
-      - name: Configure
+      - name: Configure repository
         shell: bash
         run: ./configure.sh
 

.github/workflows/ios-beta.yaml

@@ -52,18 +52,23 @@ jobs:
       - name: Parallel submodules checkout
         run: git submodule update --depth 1 --init --recursive --jobs=$(($(sysctl -n hw.logicalcpu) * 20))
 
-      - name: Checkout private keys
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ secrets.PRIVATE_REPO }}
-          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
-          ref: master
-          path: private.git
-
-      - name: Configure repo with private keys
+      - name: Restore beta keys
+        shell: bash
         run: |
-          ./configure.sh ./private.git
-          rm -rf ./private.git
+          mkdir -p xcode/keys
+          echo "$PRIVATE_H" | base64 -d > private.h
+          echo "$APPSTORE_JSON" | base64 -d > xcode/keys/appstore.json
+          echo "$CERTIFICATES_DEV_P12" | base64 -d > xcode/keys/CertificatesDev.p12
+          echo "$CERTIFICATES_DISTR_P12" | base64 -d > xcode/keys/CertificatesDistr.p12
+        env:
+          PRIVATE_H: ${{ secrets.PRIVATE_H }}
+          APPSTORE_JSON: ${{ secrets.APPSTORE_JSON }}
+          CERTIFICATES_DEV_P12: ${{ secrets.CERTIFICATES_DEV_P12 }}
+          CERTIFICATES_DISTR_P12: ${{ secrets.CERTIFICATES_DISTR_P12 }}
+
+      - name: Configure repository
+        shell: bash
+        run: ./configure.sh
 
       - name: Compile and upload to TestFlight
         run: |

.github/workflows/ios-check.yaml

@@ -59,7 +59,7 @@ jobs:
         shell: bash
         run: git submodule update --depth 1 --init --recursive --jobs=$(($(sysctl -n hw.logicalcpu) * 20))
 
-      - name: Configure
+      - name: Configure repository
         shell: bash
         run: ./configure.sh
 

.github/workflows/ios-release.yaml

@@ -16,20 +16,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Checkout private keys
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ secrets.PRIVATE_REPO }}
-          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
-          ref: master
-          path: ./private.git
-
-      - name: Configure repo with private keys
+      - name: Restore release keys
         shell: bash
         run: |
-          mkdir -p xcode/keys/
-          cp -p ./private.git/xcode/keys/appstore.json xcode/keys/
-          rm -rf ./private.git
+          mkdir -p xcode/keys
+          echo "$APPSTORE_JSON" | base64 -d > xcode/keys/appstore.json
+        env:
+          APPSTORE_JSON: ${{ secrets.APPSTORE_JSON }}
 
       - name: Checkout screenshots
         uses: actions/checkout@v4

.github/workflows/linux-check.yaml

@@ -67,7 +67,7 @@ jobs:
               libqt6positioning6-plugins \
               libqt6positioning6
 
-      - name: Configure
+      - name: Configure repository
         shell: bash
         run: ./configure.sh
 
@@ -134,7 +134,7 @@ jobs:
               libqt6positioning6-plugins \
               libqt6positioning6
 
-      - name: Configure
+      - name: Configure repository
         shell: bash
         run: ./configure.sh
 

.github/workflows/macos-check.yaml

@@ -57,7 +57,7 @@ jobs:
         run: |
           HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK=1 brew install ninja qt@6
 
-      - name: Configure
+      - name: Configure repository
         shell: bash
         run: ./configure.sh
 

android/app/build.gradle

@@ -45,7 +45,6 @@ repositories {
 }
 
 apply plugin: 'com.android.application'
-apply from: 'secure.properties'
 if (googleFirebaseServicesEnabled) {
   apply plugin: 'com.google.gms.google-services'
   apply plugin: 'com.google.firebase.crashlytics'
@@ -247,6 +246,11 @@ android {
     }
   }
 
+  def securityPropertiesFileExists = file('secure.properties').exists()
+  if (securityPropertiesFileExists) {
+    apply from: 'secure.properties'
+  }
+
   signingConfigs {
     debug {
       storeFile file('debug.keystore')
@@ -256,10 +260,15 @@ android {
     }
 
     release {
-      storeFile file(spropStoreFile)
-      storePassword spropStorePassword
-      keyAlias spropKeyAlias
-      keyPassword spropKeyPassword
+      if (securityPropertiesFileExists) {
+        println('The release signing keys are available')
+        storeFile file(spropStoreFile)
+        storePassword spropStorePassword
+        keyAlias spropKeyAlias
+        keyPassword spropKeyPassword
+      } else {
+        println('The release signing keys are unavailable')
+      }
     }
   }
 

android/app/src/main/res/xml/network_security_config.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+  <base-config cleartextTrafficPermitted="true">
+    <trust-anchors>
+      <!-- Certificates are required for Android 7 and below. See the link for details:
+           https://community.letsencrypt.org/t/letsencrypt-certificates-fails-on-android-phones-running-android-7-or-older/205686 -->
+      <certificates src="@raw/isrgrootx1" />
+      <certificates src="@raw/globalsignr4" />
+      <certificates src="@raw/gtsrootr1" />
+      <certificates src="@raw/gtsrootr2" />
+      <certificates src="@raw/gtsrootr3" />
+      <certificates src="@raw/gtsrootr4" />
+      <certificates src="system" />
+    </trust-anchors>
+  </base-config>
+  <domain-config cleartextTrafficPermitted="true">
+    <domain includeSubdomains="true">organicmaps.app</domain>
+    <domain includeSubdomains="true">omaps.app</domain>
+  </domain-config>
+</network-security-config>

configure.sh

@@ -1,171 +1,17 @@
 #!/usr/bin/env bash
+#
 # Please run this script to configure the repository after cloning it.
+#
 
-# When configuring with private repository, the following override hierarchy is used:
-# - commandline parameters - most specific, always wins.
-# - stdin parameters.
-# - saved repository - least specific, if present.
-# - fallback to opensource mode.
+set -euo pipefail
 
-# Stop on the first error.
-set -e -u
+echo "Configuring the repository for development."
 
-BASE_PATH=$(cd "$(dirname "$0")"; pwd)
-
-DEFAULT_PRIVATE_HEADER="$BASE_PATH/private_default.h"
-PRIVATE_HEADER="private.h"
-PRIVATE_PROPERTIES="android/app/secure.properties"
-PRIVATE_NETWORK_CONFIG="android/app/src/main/res/xml/network_security_config.xml"
-PRIVATE_GOOGLE_SERVICES="android/app/google-services.json"
-
-SAVED_PRIVATE_REPO_FILE="$BASE_PATH/.private_repository_url"
-SAVED_PRIVATE_BRANCH_FILE="$BASE_PATH/.private_repository_branch"
-TMP_REPO_DIR="$BASE_PATH/.tmp.private.repo"
-
-usage() {
-  echo "This tool configures Organic Maps for an opensource build by default"
-  echo "and bootstraps the Boost submodule after that."
-  echo
-  echo "To e.g. publish in app stores populate following configs with your own private keys etc."
-  echo "  $PRIVATE_HEADER"
-  echo "  $PRIVATE_PROPERTIES"
-  echo "  $PRIVATE_NETWORK_CONFIG"
-  echo "  $PRIVATE_GOOGLE_SERVICES"
-  echo "The tool can copy over the necessary configs from a given private repo and a branch"
-  echo "(it copies all files except README.md)."
-  echo "It remembers the repo and the branch to pull the config changes automatically on next run."
-  echo
-  echo "Usage:"
-  echo "  $0 private_repo_url [private_repo_branch]  - copy configs from a private repo (master is the default branch)"
-  echo "  echo 'private_repo_url [private_repo_branch]' | $0  - alternate invocation for private repo configuration"
-  echo "  $0  - use a saved repo and a branch if present or default to an opensource build configs"
-  echo ""
-}
-
-setup_opensource() {
-  echo "Initializing repository with default values in Open-Source mode."
-  cat "$DEFAULT_PRIVATE_HEADER" > "$BASE_PATH/$PRIVATE_HEADER"
-  echo 'ext {
-  spropStoreFile = "debug.keystore"
-  spropStorePassword = "12345678"
-  spropKeyAlias = "debug"
-  spropKeyPassword = "12345678"
-}
-' > "$BASE_PATH/$PRIVATE_PROPERTIES"
-  echo '<?xml version="1.0" encoding="utf-8"?>
-<network-security-config>
-  <base-config>
-    <trust-anchors>
-      <!-- Certificates are required for Android 7 and below. See the link for details:
-           https://community.letsencrypt.org/t/letsencrypt-certificates-fails-on-android-phones-running-android-7-or-older/205686 -->
-      <certificates src="@raw/isrgrootx1" />
-      <certificates src="@raw/globalsignr4" />
-      <certificates src="@raw/gtsrootr1" />
-      <certificates src="@raw/gtsrootr2" />
-      <certificates src="@raw/gtsrootr3" />
-      <certificates src="@raw/gtsrootr4" />
-      <certificates src="system" />
-    </trust-anchors>
-  </base-config>
-</network-security-config>
-' > "$BASE_PATH/$PRIVATE_NETWORK_CONFIG"
-  rm -f "$BASE_PATH/$PRIVATE_GOOGLE_SERVICES"
-}
-
-# Clone the private repo and copy all of its files (except README.md) into the main repo
-setup_private() {
-  echo "Copying private configuration files from the repo '$PRIVATE_REPO', branch '$PRIVATE_BRANCH'"
-  set -x
-  rm -rf "$TMP_REPO_DIR"
-  git clone --branch "$PRIVATE_BRANCH" --depth 1 "$PRIVATE_REPO" "$TMP_REPO_DIR"
-  echo "$PRIVATE_REPO" > "$SAVED_PRIVATE_REPO_FILE"
-  echo "$PRIVATE_BRANCH" > "$SAVED_PRIVATE_BRANCH_FILE"
-  echo "Saved private repository url '$PRIVATE_REPO' to '$SAVED_PRIVATE_REPO_FILE'"
-  echo "Saved private branch '$PRIVATE_BRANCH' to '$SAVED_PRIVATE_BRANCH_FILE'"
-  cd $TMP_REPO_DIR
-  rm -rf "$TMP_REPO_DIR/.git" "$TMP_REPO_DIR/README.md"
-  cp -Rv "$TMP_REPO_DIR"/* "$BASE_PATH"
-  rm -rf "$TMP_REPO_DIR"
-  # Remove old android secrets during the transition period to the new project structure
-  echo "Removing keys from old locations"
-  rm -f android/release.keystore \
-        android/secure.properties \
-        android/libnotify.properties \
-        android/google-services.json \
-        android/google-play.json \
-        android/firebase-app-distribution.json \
-        android/firebase-test-lab.json \
-        android/huawei-appgallery.json \
-        android/res/xml/network_security_config.xml
-  set +x
-  echo "Private files have been updated."
-}
-
-if [ "${1-}" = "-h" -o "${1-}" = "--help" ]; then
-  usage
-  exit 1
+if [ ! -d 3party/boost/tools ]; then
+  git submodule update --init --recursive
 fi
-
-ARGS_PRIVATE_REPO=${1-}
-ARGS_PRIVATE_BRANCH=${2-}
-
-if [ -n "$ARGS_PRIVATE_REPO" ]; then
-  PRIVATE_REPO=$ARGS_PRIVATE_REPO
-  if [ -n "$ARGS_PRIVATE_BRANCH" ]; then
-    PRIVATE_BRANCH=$ARGS_PRIVATE_BRANCH
-  else
-    PRIVATE_BRANCH=master
-  fi
-else
-  read -t 1 READ_PRIVATE_REPO READ_PRIVATE_BRANCH || true
-  if [ -n "${READ_PRIVATE_REPO-}" ]; then
-    PRIVATE_REPO=$READ_PRIVATE_REPO
-    if [ -n "${READ_PRIVATE_BRANCH-}" ]; then
-      PRIVATE_BRANCH=$READ_PRIVATE_BRANCH
-    else
-      PRIVATE_BRANCH=master
-    fi
-  elif [ -f "$SAVED_PRIVATE_REPO_FILE" ]; then
-    PRIVATE_REPO=`cat "$SAVED_PRIVATE_REPO_FILE"`
-    echo "Using stored private repository URL: $PRIVATE_REPO"
-    if [ -f "$SAVED_PRIVATE_BRANCH_FILE" ]; then
-      PRIVATE_BRANCH=`cat "$SAVED_PRIVATE_BRANCH_FILE"`
-      echo "Using stored private branch: $PRIVATE_BRANCH"
-    else
-      PRIVATE_BRANCH=master
-    fi
-  else
-    PRIVATE_REPO=""
-  fi
-fi
-
-if [ -n "$PRIVATE_REPO" ]; then
-  setup_private
-else
-  setup_opensource
-fi
-
-# TODO: Remove these lines when XCode project is finally generated by CMake.
-if [ ! -d "$BASE_PATH/3party/boost/" ]; then
-  echo "You need to have Boost submodule present to run bootstrap.sh"
-  echo "Try 'git submodule update --init --recursive'"
-  exit 1
-fi
-if [ ! -d "$BASE_PATH/3party/boost/tools" ]; then
-  echo "Boost's submodule 'tools' is missing, it is required for bootstrap"
-  echo "Try 'git submodule update --init --recursive'"
-  exit 1
-fi
-
-cd "$BASE_PATH/3party/boost/"
-if [[ "$OSTYPE" == msys ]]; then
-  echo "For Windows please run:"
-  echo "cd 3party\\boost"
-  echo "bootstrap.bat"
-  echo "b2 headers"
-  echo "cd ..\\.."
-else
-  ./bootstrap.sh
-  ./b2 headers
-fi
-cd "$BASE_PATH"
+pushd 3party/boost/
+./bootstrap.sh
+./b2 headers
+popd
+echo "The repository is configured for development."

docs/CREDENTIALS.md

@@ -0,0 +1,127 @@
+This file contains a list of all sensitive credentials, access keys, authentication tokens, and security certificates used by CI/CD (Github Actions).
+
+- [PRIVATE\_H](#private_h)
+- [RELEASE\_KEYSTORE](#release_keystore)
+- [SECURE\_PROPERTIES](#secure_properties)
+- [FIREBASE\_APP\_DISTRIBUTION\_JSON](#firebase_app_distribution_json)
+- [FIREBASE\_TEST\_LAB\_JSON](#firebase_test_lab_json)
+- [GOOGLE\_SERVICES\_JSON](#google_services_json)
+- [GOOGLE\_PLAY\_JSON](#google_play_json)
+- [HUAWEI\_APPGALLERY\_JSON](#huawei_appgallery_json)
+- [AGCONNECT\_SERVICES\_JSON](#agconnect_services_json)
+- [APPSTORE\_JSON](#appstore_json)
+- [CERTIFICATES\_DEV\_P12](#certificates_dev_p12)
+- [CERTIFICATES\_DISTR\_P12](#certificates_distr_p12)
+- [APPSTORE\_CERTIFICATE\_PASSWORD](#appstore_certificate_password)
+
+## PRIVATE_H
+
+Shared compile-time secrets for all platforms.
+
+```bash
+gh secret set PRIVATE_H --env beta --body "$(base64 < private.h)"
+gh secret set PRIVATE_H --env production --body "$(base64 < private.h)"
+```
+
+## RELEASE_KEYSTORE
+
+Android Java-compatible keystore with certificates used for signing APKs.
+
+```bash
+gh secret set RELEASE_KEYSTORE --env beta --body "$(base64 < android/app/release.keystore)"
+gh secret set RELEASE_KEYSTORE --env production --body "$(base64 < android/app/release.keystore)"
+```
+
+## SECURE_PROPERTIES
+
+Android Gradle configuration file containing the passwords for the `release.keystore`.
+
+```bash
+gh secret set SECURE_PROPERTIES --env beta --body "$(base64 < android/app/secure.properties)"
+gh secret set SECURE_PROPERTIES --env production --body "$(base64 < android/app/secure.properties)"
+```
+
+## FIREBASE_APP_DISTRIBUTION_JSON
+
+Credentials for uploading betas to Google Firebase App Distribution.
+
+```bash
+gh secret set FIREBASE_APP_DISTRIBUTION_JSON --env beta --body "$(base64 < android/app/firebase-app-distribution.json)"
+```
+
+## FIREBASE_TEST_LAB_JSON
+
+Credentials for using Firebase Test Lab ("Monkey").
+
+```bash
+gh secret set FIREBASE_TEST_LAB_JSON --env beta --body "$(base64 < android/app/firebase-test-lab.json)"
+```
+
+## GOOGLE_SERVICES_JSON
+
+Credentials for using Firebase Crashlytics.
+
+```bash
+gh secret set GOOGLE_SERVICES_JSON --env beta --body "$(base64 < android/app/google-services.json)"
+```
+
+## GOOGLE_PLAY_JSON
+
+Credentials for uploading Android releases to Google Play.
+
+```bash
+gh secret set GOOGLE_PLAY_JSON --env production --body "$(base64 < android/app/google-play.json)"
+```
+
+## HUAWEI_APPGALLERY_JSON
+
+Credentials for uploading Android releases to Huawei AppGallery.
+
+```bash
+gh secret set HUAWEI_APPGALLERY_JSON --env production --body "$(base64 < android/app/huawei-appgallery.json)"
+```
+
+## AGCONNECT_SERVICES_JSON
+
+Credentials for Huawei Mobile Services (HMS) to use Location Kit (not yet finished).
+
+```bash
+gh secret set AGCONNECT_SERVICES_JSON --env beta --body "$(base64 < android/app/agconnect-services.json)"
+gh secret set AGCONNECT_SERVICES_JSON --env production --body "$(base64 < android/app/agconnect-services.json)"
+```
+
+## APPSTORE_JSON
+
+Credentials for uploading iOS releases to Apple AppStore Connect.
+
+```bash
+gh secret set APPSTORE_JSON --env beta --body "$(base64 < xcode/keys/appstore.json)"
+gh secret set APPSTORE_JSON --env production --body "$(base64 < xcode/keys/appstore.json)"
+```
+
+## CERTIFICATES_DEV_P12
+
+Credentials for signing iOS releases - dev keys.
+
+```bash
+gh secret set CERTIFICATES_DEV_P12 --env beta --body "$(base64 < xcode/keys/CertificatesDev.p12)"
+gh secret set CERTIFICATES_DEV_P12 --env production --body "$(base64 < xcode/keys/CertificatesDev.p12)"
+```
+
+## CERTIFICATES_DISTR_P12
+
+Credentials for signing iOS releases - AppStore keys.
+
+```bash
+gh secret set CERTIFICATES_DISTR_P12 --env beta --body "$(base64 < xcode/keys/CertificatesDistr.p12)"
+gh secret set CERTIFICATES_DISTR_P12 --env production --body "$(base64 < xcode/keys/CertificatesDistr.p12)"
+```
+
+## APPSTORE_CERTIFICATE_PASSWORD
+
+Password for `CertificatesDistr.p12`.
+
+```bash
+gh secret set APPSTORE_CERTIFICATE_PASSWORD --env beta
+gh secret set APPSTORE_CERTIFICATE_PASSWORD --env production
+```

private.h

@@ -9,8 +9,9 @@
 #define MWM_GEOLOCATION_SERVER ""
 #define METASERVER_URL "https://meta.omaps.app/maps"
 #define DIFF_LIST_URL ""
-#define DEFAULT_URLS_JSON "[ \"https://cdn.organicmaps.app/\" ]"
-#define DEFAULT_CONNECTION_CHECK_IP "140.82.121.4"  // For now the IP of cdn.organicmaps.app
+#define DEFAULT_URLS_JSON "[ \"https://cdn-de1.organicmaps.app/\",\"https://cdn-us3.organicmaps.app/\",\"https://cdn-nl1.organicmaps.app/\",\"https://cdn-uk1.organicmaps.app/\",\"https://cdn-fi1.organicmaps.app/\",\"https://cdn.organicmaps.app/\" ]"
+#define DEFAULT_CONNECTION_CHECK_IP "65.108.198.117"  // For now the IP of cdn.organicmaps.app
 #define TRAFFIC_DATA_BASE_URL ""
 #define USER_BINDING_PKCS12 ""
 #define USER_BINDING_PKCS12_PASSWORD ""
+#define KAYAK_AFFILIATE_ID "kan_267335"

xcode/fastlane/Fastfile

@@ -35,6 +35,16 @@ platform :ios do
         keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
         keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
       )
+      import_certificate(
+        certificate_path: 'keys/Apple/AppleWWDRCAG7.cer',
+        keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
+        keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
+      )
+      import_certificate(
+        certificate_path: 'keys/Apple/AppleWWDRCAG8.cer',
+        keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
+        keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
+      )
       # Organic Maps certificates.
       import_certificate(
         certificate_path: 'keys/CertificatesDev.p12',